Script? did I hear script?
jamesc
New Member
Posts: 1
Joined: Jan 2003
RE: Script? did I hear script?
Just downloaded MP2

Great work :)

Any idea when scripting will be included... Been getting very excited about this!

Keep up the good work,


James
01-15-2003 12:44 AM
dennistt
Full Member
Msgplus Fan

Posts: 134
– / Male / –
Joined: Jan 2003
RE: Script? did I hear script?
Wouldn't be unsecure. Then I mean, anyone could just script something and it can do something to MP2 and maybe Messenger?
01-15-2003 02:11 AM
alvarezp
Junior Member
Posts: 29
43 / – / –
Joined: Apr 2002
RE: Script? did I hear script?
For those of you who can't wait until the end of my message, the conclusion is: "Making the scripting security depend only on the file transfer accept/decline is still very risky."

Consider the following: Think of MSN (or Windows) Messenger as scriptable, speaking of what Patchou and other software writers do to extend Messenger's capabilities. Having said this, now think of all the worms that use Messenger as a spreading platform. People without the knowledge we have regarding Messenger accept files and execute them without thinking twice. Please keep this in mind while reading my message.

Also, remember all the problems that scriptable mIRC clients imply, and also what happened when Office (Word, Excel...) applications started accepting programmable macros. Let's not make the same mistake.

Now, let's get back to MP2. Imagine an event like "OnAfterFileTransfer" which executes the file. If I write a small trojan .EXE which installs an MP2 script which secretly works in that event, executing any received file, I will no longer be able to receive files safely without executing them. Subsequent incoming files could be other worms which would autoexecute themselves, which would turn this into a disease.

If the scripting includes an "OnStartup" event and allows the scripts to modify Messenger Plus! configuration, it is very easy to hide a worm and execute it each time Messenger (or MsgPlus) runs, reenabling worms frequently.

The last example almost speaks for itself: an "OnBeforeFileTransfer" which has been hooked to auto-receive files. Imagine it working together with the scenario I wrote for the hypothetical OnAfterFileTransfer.

These are the three most critical points I'm worried about. There are several other possible exploit points out there in any scripting environment. I would not like to see a worm named "worm.E@mmp2" (referring to Messenger Plus) or something like that.

Blaming a user who (typically) doesn't know or care about worms for accepting a file and executing it, will only be the defense against the already created disease. My different initial proposals to avoid these potential situations are:

1. Pessimistic: Not to have these kinds of events planned.
2. Optimistic: To ignore these issues.
3. A somewhat better option ;) -- When calling OnBeforeFileTransfer and OnAfterFileTransfer, not to pass the received file name. Also, to have a special .INI file in the Plus directory, or a RegistryKey for MP2 which, before any script processing, controls whether scripting (or part of it) should be enabled or disabled, so you can recover your Messenger sessions quickly in case of an infection.

Does anybody know if, using the proposed platform by Patchou, scripts would be able to become resident after Messenger and Messenger Plus shut down? I'm assuming they aren't able to.

Octavio.

This post was edited on 01-15-2003 at 11:19 AM by alvarezp.
01-15-2003 11:00 AM
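
The third proposal in the post above, sketched as an added example (not part of the original post and not Messenger Plus! code): a hypothetical script host that reads a kill switch before any script processing and delivers the file-transfer events without the received file name. Every name here (`createScriptHost`, `scriptingEnabled`, the `ScriptingEnabled` key, the payload fields) is an assumption made for illustration.

```javascript
// Hypothetical script host illustrating proposal 3 from the post above.
// Nothing here is Messenger Plus! code; every name is an assumption.

// Events whose payload must never expose the received file to scripts.
const FILE_EVENTS = new Set(["OnBeforeFileTransfer", "OnAfterFileTransfer"]);

// Parse INI-style kill-switch text. Anything other than an explicit
// "ScriptingEnabled=1" leaves scripting off (fail closed).
function scriptingEnabled(iniText) {
  for (const raw of String(iniText || "").split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith(";")) continue; // blank or comment
    const eq = line.indexOf("=");
    if (eq < 0) continue;                              // section header etc.
    const key = line.slice(0, eq).trim().toLowerCase();
    if (key === "scriptingenabled") return line.slice(eq + 1).trim() === "1";
  }
  return false;
}

// Build the object a handler receives; file events lose the name and path.
function payloadFor(event, details) {
  if (!FILE_EVENTS.has(event)) return Object.freeze({ ...details });
  const { fileName, filePath, ...safe } = details;
  return Object.freeze(safe);
}

function createScriptHost(iniText) {
  const enabled = scriptingEnabled(iniText); // decided before any script loads
  const handlers = new Map();
  return {
    enabled,
    register(event, fn) {
      if (!enabled) return false;            // kill switch: nothing is hooked
      if (!handlers.has(event)) handlers.set(event, []);
      handlers.get(event).push(fn);
      return true;
    },
    fire(event, details) {
      if (!enabled) return 0;
      const list = handlers.get(event) || [];
      const payload = payloadFor(event, details);
      for (const fn of list) {
        try { fn(payload); } catch (e) { /* a failing script must not break the host */ }
      }
      return list.length;                    // number of handlers invoked
    },
  };
}
```

With the switch off, `register` refuses every hook, so a script planted earlier never runs on the next start; with it on, a file-transfer handler still has no file name or path to act on.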
MoRiA
Full Member
Web2Messenger Creator

Posts: 268
Reputation: 15
37 / Male / –
Joined: Nov 2002
RE: Script? did I hear script?
This would still be something that virus scanners would pick up on pretty quickly I think. There are warnings everywhere saying not to accept files from people you don't know and to virus scan every file you receive anyway. If your virus checking client has an auto-protect function then it will automatically scan the file before it is allowed to be called by MP2 so it makes scenarios such as you suggested possible but still something that can pass the blame back to the user who accepted the file transfer (unless another script accepts it automatically, but that would still involve accepting a file transfer at some point), and also could blame the user for not having virus-scanning software installed.
01-15-2003 04:31 PM
alvarezp
Junior Member
Posts: 29
43 / – / –
Joined: Apr 2002
RE: Script? did I hear script?
I don't like viruses. I don't like worms. (sounds like a poem)
They are like twisters, worse than a storm. (huh? j/k)

Moria, your approach is to correct the created problem.

My approach is to prevent the problem from being created.

Both have advantages and disadvantages. Namely, a disease and affecting the name of MsgPlus versus some lack of liberty for writing scripts.

I know Patchou will make a good decision, whatever it is. I just hope Patchou reads the message. ;-)

Octavio.
01-26-2003 07:10 AM
JustMe
New Member
Posts: 1
Joined: Jan 2003
RE: Script? did I hear script?
Hey guys, I'm new here...

In what version will this be inserted? Is it going to be in the next version? Or do we have to wait a little bit longer?

Greetz
JustMe
01-26-2003 06:42 PM
MoRiA
Full Member
Web2Messenger Creator

Posts: 268
Reputation: 15
37 / Male / –
Joined: Nov 2002
RE: Script? did I hear script?
I don't think anyone knows yet - Patchou has just said 'later'.

(Yes - I exist, slightly :rolleyes: )
01-26-2003 08:22 PM
user2319
Disabled Account


Posts: 1779
Joined: Oct 2002
Status: Away
RE: RE: Script? did I hear script?
quote:
Originally posted by MoRiA
I don't think anyone knows yet - Patchou has just said 'later'.

(Yes - I exist, slightly :rolleyes: )


Probably version 2.1. But that's after the Public Release. However, Patchou being sick, he's unable to do anything now. :sad:
01-30-2003 07:08 PM
fleetadmiralmatt
Junior Member
Matt K.

Posts: 63
38 / Male / –
Joined: Jan 2003
RE: Script? did I hear script?
Errr... I didn't have time to read this whole post since the last time I read it so I'll be blunt...

What happened to the scripting? Is it still in or is it gone?

Thanks!
-Matthew K.
01-31-2003 06:46 AM
Dogga
New Member
Posts: 9
Joined: Jan 2003
RE: RE: Script? did I hear script?
quote:
Originally posted by sock
[Image: you.jpg]

Sorry, I had to do this.:)


This is goddamned hilarious.  I almost fell out of my chair when I saw it.  lmfao
01-31-2003 09:14 AM